Security

INTRODUCTION

Security is one of the biggest considerations in everything we do. Gerald Technologies, Inc is governed by its internal Physical and Information Security Policies, a set of policies and procedures designed to keep Gerald Technologies, Inc data and customer data safe and to restrict use of that data to its authorized purposes. Gerald Technologies, Inc performs its own internal audits at regular intervals to ensure ongoing compliance. If you have any questions after reading this, or encounter any issues, please let us know. This document is intended to provide further transparency about how we protect this important data.

CONFIDENTIALITY

We keep our data safe by using high-grade encryption and the latest generation of anti-malware software. Only authorized software engineers have access to the information necessary for them to perform their job duties, and when that access is no longer needed, we make sure to remove it.

SECURITY PROGRAM

We regularly audit every layer of security. We maintain security procedures designed to ensure information we own, license and process is not accessed by any unauthorized person or business. We use a variety of multi-level security systems to control access to our services and information products.

NETWORK SECURITY

We’ve partnered with Amazon Web Services to provide a secure and reliable cloud environment for our software. We use a combination of load balancers, firewalls, and VPNs to ensure that network access is restricted on an as-needed basis. We limit access to our production infrastructure and strongly authenticate that access.

All network communication in the Gerald platform occurs over secure SSL/TLS. Our internal infrastructure rejects all packets sent on ports other than port 443 and redirects all unsecured port 80 requests over to port 443. We regularly audit the details of our implementation and the certificates that we serve.

In addition to SSL/TLS connections, automated data transfers pass through additional encryption layers, giving sensitive data further protection both in transit and at rest.

ACCOUNT SECURITY

Gerald never stores your password in plaintext. All user passwords are stored using BCrypt2 with multiple rounds of hashing and a unique salt for each credential.

DATA STORAGE

All user data is encrypted at rest with AES256-CBC. Decryption keys are stored on separate machines. None of Gerald’s internal servers and daemons are able to obtain plaintext data. Gerald’s infrastructure for storing, decrypting, and transmitting sensitive user data doesn’t share any credentials with Gerald’s primary services (API, website, etc.).

Our database backups and file storage encrypt everything at rest. Each customer is scoped to view only their own data and no one else's. Our database supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of the database’s network traffic. TLS/SSL ensures that database network traffic is only readable by the intended client.

RELIABILITY

We back up all customer content at least once daily. We do not utilize portable or removable media for backups. All backups are encrypted with AES-256.

Encryption at rest, when used in conjunction with transport encryption and our security policies that protect the relevant accounts, passwords, and encryption keys, ensures compliance with security and privacy requirements, including those covering PII, HIPAA, PCI-DSS, and FERPA.

MONITORING

All Gerald-owned servers receive quarterly security updates, and intrusion detection systems monitor for all possible security incidents.

OPERATIONS MANAGEMENT

All code changes and application updates to our data systems are reviewed for security issues before use. Gerald separates development, testing, storing, and production environments in different engineering segments.